Study Guide: SSCP: 8. Monitoring and Analysis
Source: https://www.fatskills.com/systems-security-certified-practitioner-sscp/chapter/sscp-8-monitoring-and-analysis

SSCP: 8. Monitoring and Analysis

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Events of interest are known events that an organization wants to detect and record. Some events of interest are potential security incidents that need to be investigated. Others are events logged for compliance monitoring. An intrusion detection system (IDS) provides continuous monitoring and sends alerts to report suspicious activity. Administrators investigate alerts to determine whether they are actual attacks or false positives. A network-based IDS (NIDS) uses sensors (agents) placed on network devices or at network chokepoints; the sensors send data back to a central NIDS management server, which analyzes activity throughout the network and raises an alert when it sees something suspicious. A host-based IDS (HIDS) monitors activity on an individual system, such as a server or workstation, and raises alerts for that host. Notifications are typically recorded in logs but can also be sent as e-mails or text messages. An intrusion prevention system (IPS) is placed inline with the traffic and can modify the environment to block attacks in progress. Because an IPS acts automatically, a false positive on an IPS blocks legitimate traffic, so IPS rules need tighter tuning than IDS rules that only alert.
IDSs and IPSs use two primary detection methods. A signature-based (or knowledge-based) system has a database of known attacks and compares live activity with this data. This is similar to how AV software uses signature files to detect malware. Its weakness is that an attack with no signature yet (a new or modified attack) passes undetected. An anomaly-based (or behavior-based) system starts with a baseline of normal activity, which must be collected during a period known to be free of attacks. It then monitors ongoing activity to determine whether there is a significant change or anomaly. Anomalies are reported as alerts and need to be investigated; this method can detect previously unknown attacks but typically generates more false positives than a signature-based system. Many systems use a hybrid model of both signature-based and anomaly-based detection methods.
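The two detection methods and the hybrid model above, as an added example (not code from the page or from any IDS product): a signature-based detector with a two-entry knowledge base, a behavior-based detector that learns a requests-per-source baseline from a clean window and flags a source that exceeds it, and a hybrid wrapper that runs both. The log lines, their field layout, the signatures and the "mean + 3 standard deviations" threshold are all constructed assumptions for illustration.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed sample web-server log lines (hypothetical data, not from the page).
# Field layout assumed: "<timestamp> <src_ip> <method> <path> <status>".
BASELINE_LOGS = """\
2024-05-01T10:00:01 10.0.0.5 GET /index.html 200
2024-05-01T10:00:02 10.0.0.6 GET /about.html 200
2024-05-01T10:00:03 10.0.0.5 GET /login 200
2024-05-01T10:00:04 10.0.0.7 GET /index.html 200
2024-05-01T10:00:05 10.0.0.6 POST /login 302
2024-05-01T10:00:06 10.0.0.8 GET /index.html 200
""".splitlines()

LIVE_LOGS = """\
2024-05-01T11:00:01 10.0.0.5 GET /index.html 200
2024-05-01T11:00:02 10.0.0.9 GET /search?q=%27%20OR%20%271%27%3D%271 200
2024-05-01T11:00:03 10.0.0.9 GET /../../etc/passwd 404
2024-05-01T11:00:04 10.0.0.9 GET /admin 403
2024-05-01T11:00:05 10.0.0.9 GET /wp-login.php 404
2024-05-01T11:00:06 10.0.0.9 GET /phpmyadmin 404
2024-05-01T11:00:07 10.0.0.9 GET /.git/config 404
2024-05-01T11:00:08 10.0.0.9 GET /backup.zip 404
2024-05-01T11:00:09 10.0.0.9 GET /server-status 403
2024-05-01T11:00:10 10.0.0.6 GET /about.html 200
2024-05-01T11:00:11 10.0.0.6 POST /login 302
""".splitlines()

# Knowledge base for the signature-based detector: name -> pattern of a known attack.
SIGNATURES = {
    "sql-injection": re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line):
    ts, src, method, path, status = line.split()
    return {"ts": ts, "src": src, "method": method, "path": path, "status": int(status)}


def signature_alerts(lines):
    """Knowledge-based detection: flag any request whose decoded path matches a known attack."""
    alerts = []
    for line in lines:
        ev = parse(line)
        decoded = unquote(ev["path"])  # payloads are often URL-encoded; match the decoded form
        for name, pattern in SIGNATURES.items():
            if pattern.search(decoded):
                alerts.append((name, ev["src"], ev["path"]))
    return alerts


def build_baseline(lines):
    """Behavior-based detection, step 1: learn requests-per-source from a known-clean window."""
    per_source = Counter(parse(l)["src"] for l in lines)
    values = list(per_source.values())
    return {"mean": statistics.mean(values), "stdev": statistics.pstdev(values)}


def anomaly_alerts(lines, baseline, k=3.0):
    """Step 2: flag sources whose request count in the live window exceeds mean + k*stdev."""
    threshold = baseline["mean"] + k * max(baseline["stdev"], 1.0)  # floor avoids a zero spread
    per_source = Counter(parse(l)["src"] for l in lines)
    return [(src, n) for src, n in per_source.items() if n > threshold]


def hybrid_detect(baseline_lines, live_lines):
    """Hybrid model: run both detectors and return their alerts side by side."""
    return {
        "signature": signature_alerts(live_lines),
        "anomaly": anomaly_alerts(live_lines, build_baseline(baseline_lines)),
    }


if __name__ == "__main__":
    for kind, alerts in hybrid_detect(BASELINE_LOGS, LIVE_LOGS).items():
        for alert in alerts:
            print(f"[{kind}] {alert}")
```

On the constructed data the signature detector raises exactly two alerts (the injection attempt and the traversal attempt) and says nothing about the six other probes from 10.0.0.9, because no signature exists for them; the anomaly detector flags 10.0.0.9 as a whole (8 requests against a threshold of 4.5 learned from the baseline) without knowing what any individual request meant. That complementarity is why the hybrid model is common, and the small, clean baseline window is the assumption the anomaly side depends on.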
One of the benefits of NIDSs over HIDSs is that the log files are stored remotely on the central server. A HIDS stores the logs on the host, and an attacker who compromises that host can modify or delete the logs, erasing the record of the attack. The usual mitigation is to forward HIDS logs in near real time to a central log server or SIEM, so that a copy exists that the compromised host cannot alter.
Many times an organization wants to detect unauthorized changes. Tools such as file integrity checkers record a baseline of cryptographic hashes (and typically permissions and ownership) for monitored files, recompute them periodically, and report any file that has been modified, added, or removed since the baseline. The baseline itself must be stored where an attacker cannot rewrite it, or the check proves nothing.
Honeypots are systems with fake data designed to attract attackers, diverting them from a live network. They also give security professionals an opportunity to observe attacks in action. Honeynets are groups of two or more honeypots to simulate a network.
Security information and event management (SIEM) applications are unified continuous monitoring systems. They collect data from multiple sources (IDS sensors, hosts, firewalls, authentication servers, and similar), normalize it into a common format, and typically include tools to aggregate, correlate, and analyze the data. Correlation is what lets a SIEM connect events that are individually harmless but together indicate an incident. IT administrators analyze the output of a SIEM application and escalate incidents when appropriate by communicating their findings to other personnel.
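The collect, aggregate, correlate and escalate pipeline described above, as an added example (not the page's code and not any SIEM product's logic): events from two differently formatted sources (a syslog-style sshd log and a key=value firewall log) are normalized into one schema, enriched with an asset inventory, sorted into a single timeline, and run through a correlation rule. The rule raises a high-severity incident when a source IP has five or more failed logins within 60 seconds followed by a success, and escalates it to critical when the firewall later shows the victim host opening an outbound connection to that same IP. The log lines, the inventory, the 2024 year assumed for the year-less syslog timestamps, UTC everywhere, and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical data, not from the page) from two sources.
SSHD_LOG = """\
May  1 10:00:01 web01 sshd[1001]: Failed password for invalid user admin from 203.0.113.9 port 5001 ssh2
May  1 10:00:03 web01 sshd[1002]: Failed password for root from 203.0.113.9 port 5002 ssh2
May  1 10:00:05 web01 sshd[1003]: Failed password for root from 203.0.113.9 port 5003 ssh2
May  1 10:00:07 web01 sshd[1004]: Failed password for root from 203.0.113.9 port 5004 ssh2
May  1 10:00:09 web01 sshd[1005]: Failed password for root from 203.0.113.9 port 5005 ssh2
May  1 10:00:12 web01 sshd[1006]: Accepted password for root from 203.0.113.9 port 5006 ssh2
May  1 10:05:00 web01 sshd[1007]: Failed password for alice from 198.51.100.4 port 6001 ssh2
May  1 10:05:04 web01 sshd[1008]: Accepted password for alice from 198.51.100.4 port 6002 ssh2
"""
FIREWALL_LOG = """\
2024-05-01T09:59:58Z fw01 action=allow src=203.0.113.9 dst=10.0.0.10 dport=22
2024-05-01T10:00:20Z fw01 action=allow src=10.0.0.10 dst=203.0.113.9 dport=4444
2024-05-01T10:05:10Z fw01 action=allow src=10.0.0.10 dst=10.0.0.53 dport=53
"""
ASSETS = {"web01": "10.0.0.10"}  # assumed asset inventory used for enrichment: host -> IP
SYSLOG_YEAR = 2024               # classic syslog timestamps carry no year; assumed here

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_sshd(text):
    """Normalize sshd auth lines into the common event schema, enriched with the host's IP."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        events.append({"ts": ts, "source": "sshd", "host": m["host"],
                       "kind": "auth_ok" if m["result"] == "Accepted" else "auth_fail",
                       "user": m["user"], "src_ip": m["ip"], "dst_ip": ASSETS.get(m["host"])})
    return events


def parse_firewall(text):
    """Normalize firewall key=value lines into the same schema."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"].rstrip("Z")), "source": "firewall",
                       "host": m["host"], "kind": "fw_" + m["action"], "user": None,
                       "src_ip": m["src"], "dst_ip": m["dst"], "dport": int(m["dport"])})
    return events


def aggregate():
    """Collect from every source and merge into one time-ordered stream."""
    return sorted(parse_sshd(SSHD_LOG) + parse_firewall(FIREWALL_LOG), key=lambda e: e["ts"])


def correlate(events, fail_threshold=5, window=timedelta(seconds=60)):
    """Brute-force-then-success rule, escalated if the victim then connects back to the attacker."""
    fails = defaultdict(list)
    incidents = []
    for e in events:
        if e["kind"] == "auth_fail":
            fails[e["src_ip"]].append(e["ts"])
        elif e["kind"] == "auth_ok":
            recent = [t for t in fails[e["src_ip"]] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                incidents.append({"ts": e["ts"], "rule": "brute-force-then-success",
                                  "severity": "high", "attacker": e["src_ip"],
                                  "victim_host": e["host"], "victim_ip": e["dst_ip"],
                                  "user": e["user"],
                                  "evidence": [f"{len(recent)} failed logins within {window.seconds}s"]})
    for inc in incidents:  # second source: outbound connection from victim to attacker after login
        for e in events:
            if (e["kind"] == "fw_allow" and e["ts"] >= inc["ts"]
                    and e["src_ip"] == inc["victim_ip"] and e["dst_ip"] == inc["attacker"]):
                inc["severity"] = "critical"
                inc["evidence"].append(
                    f"outbound {e['src_ip']} -> {e['dst_ip']}:{e['dport']} after login")
    return incidents


if __name__ == "__main__":
    for inc in correlate(aggregate()):  # escalation: hand these to the incident responders
        print(f"{inc['severity'].upper()} {inc['rule']} attacker={inc['attacker']} "
              f"user={inc['user']} victim={inc['victim_host']}: {'; '.join(inc['evidence'])}")
```

Neither source alone tells the story: the sshd log shows a successful root login after five failures, which could still be a forgetful administrator, and the firewall log shows one ordinary allowed outbound connection. Joining them on the asset inventory and the timeline is what produces a critical finding worth escalating, while alice's single failed attempt followed by success correctly produces nothing.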
Most organizations perform security assessments to detect potential security issues. A vulnerability assessment (or vulnerability test) attempts to discover vulnerabilities and provide recommendations to mitigate the associated risks. Testers can use nontechnical means, such as social engineering tactics, and technical means with tools such as Nmap (host, port, and service discovery) and Nessus (vulnerability scanning).
Penetration tests go a step further than a vulnerability assessment: they attempt to exploit a discovered vulnerability to prove it is real. Penetration tests are more intrusive and have the potential to cause damage, so they should be performed with utmost caution, within an agreed scope and rules of engagement, and stopped before inflicting any actual harm. Testers should obtain written permission prior to beginning either a vulnerability assessment or a penetration test. Both vulnerability assessments and penetration tests provide a report to management as the last step.
Both vulnerability tests and penetration tests can be white box (full knowledge), black box (zero knowledge), or gray box (partial knowledge) tests.


